LEGAL

Data Processing Addendum

This Data Processing Addendum ("Addendum" or "DPA") is entered into by and between Lotly Software LLC, a Nevada limited liability company, which operates the MHPSales.ai website and service ("Company," "MHPSales," "we," "us," or "our"), and the mobile-home-park owner/operator or manufactured-home dealer that subscribes to the Service ("Customer," "you"). Company and Customer are each a "party" and together the "parties."

This Addendum is incorporated into and forms part of the Master Services Agreement between the parties (the "MSA," and together with this Addendum, the Acceptable Use Policy, any Order Form, and Company's published policies, the "Agreement"). It governs Company's processing of Personal Information that Company processes on Customer's behalf in providing the MHPSales.ai AI voice/text/email agent, dashboard, and related features (the "Service"). By clicking to accept, executing an Order Form that references the MSA, or continuing to use the Service, Customer agrees to this Addendum. The parties intend this Addendum to be a valid electronic agreement under the federal E-SIGN Act and the Uniform Electronic Transactions Act.

The Service is operated by Lotly Software LLC and is powered by Lotly's platform. Tenant/park applications initiated through the Service are processed and screened by Lotly's screening service under Lotly's own applicant terms and FCRA disclosures; MHPSales is not a consumer reporting agency and makes no tenancy or credit decisions. This Addendum does not govern FCRA-regulated screening data, which is addressed in Section 13.


1. Definitions

Capitalized terms used but not defined in this Addendum have the meanings given in the MSA. As used in this Addendum:

"Applicable Privacy Law" means all U.S. federal, state, and local data-protection and privacy laws applicable to the processing of Personal Information under this Addendum, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.) and its implementing regulations (11 Cal. Code Regs. §§ 7000 et seq.) (together, the "CCPA"); the Virginia Consumer Data Protection Act (Va. Code Ann. § 59.1-575 et seq.); the Colorado Privacy Act (Colo. Rev. Stat. § 6-1-1301 et seq.); the Connecticut Data Privacy Act; the Texas Data Privacy and Security Act; and every other comprehensive U.S. state privacy law in effect from time to time.

"Business" / "Controller" means the entity that, alone or jointly, determines the purposes and means of processing Personal Information. For Personal Information processed under this Addendum, Customer is the Business/Controller.

"Service Provider" / "Contractor" / "Processor" means an entity that processes Personal Information on behalf of, and at the direction of, a Business/Controller under a written contract. For Personal Information processed under this Addendum, Company is the Service Provider/Contractor (CCPA) and Processor (all other state laws).

"Personal Information" or "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, and that Company processes on Customer's behalf under this Addendum. It comprises "Lead Data" (contact and communication information about the prospective buyers or renters that Customer directs the Service to contact) and "Applicant Data" (rental/park-application information submitted through the Service), in each case as further described in Appendix A. Personal Information does not include information that is Deidentified or that is exempt under Applicable Privacy Law.

"Sale" / "Sell" has the meaning in Cal. Civ. Code § 1798.140(ad): disclosing Personal Information to a third party for monetary or other valuable consideration.

"Share" / "Sharing" has the meaning in Cal. Civ. Code § 1798.140(ah): disclosing Personal Information to a third party for cross-context behavioral advertising.

"Sensitive Personal Information" ("SPI") has the meaning in Cal. Civ. Code § 1798.140(ae), and includes, as applicable, Social Security, driver's-license, state-identification, or passport numbers; financial-account information together with any required access credential; precise geolocation; and the contents of communications not directed to the business.

"Deidentified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, and that is processed in accordance with the safeguards required by Applicable Privacy Law.

"Consumer" or "Lead" means an individual prospective buyer or renter, or an applicant, whose Personal Information is processed under this Addendum. "Sub-processor" means a third party engaged by Company to process Personal Information in providing the Service. "Order Form," "Documentation," and "Confidential Information" have the meanings given in the MSA.


2. Roles and Scope of Processing

2.1 Roles. With respect to Lead Data and Applicant Data that Company processes to provide the Service, the parties agree that Customer is the "business," "controller," or equivalent, and Company is the "service provider," "contractor," or "processor," as those terms are defined under the CCPA and every other Applicable Privacy Law. Company processes such Personal Information solely on Customer's documented instructions and for the limited and specified purpose of performing the Service, and for no other purpose. All processing, including any outbound communication carried out through the Service, is performed solely on the Customer's documented instructions and at the Customer's initiation; Company does not determine the means or purposes of contacting any individual.

2.2 Customer's own data. Company separately acts as a "business"/"controller" for personal information it collects about visitors to its websites, prospective and current Customer personnel, billing contacts, and its own business operations. That processing is governed by Company's public Privacy Policy and is outside the scope of this Addendum.

2.3 Customer responsibilities. Customer, as Business/Controller, is responsible for establishing a lawful basis for the processing; for providing all legally required notices (including notice at collection) to, and obtaining all legally required consents (including sensitive-data consents and call-recording consents) from, the Consumers whose information Customer directs Company to process; and for the accuracy and lawfulness of its processing instructions. Customer's processing instructions are set out in the Agreement, this Addendum, and Appendix A, together with any further written instructions Customer gives that are consistent with the Agreement. Customer's obligations regarding telemarketing, do-not-call, calling-time, caller-identification, and call-recording consent are governed by the MSA and the Acceptable Use Policy and are not modified by this Addendum.

2.4 Compliance with law. Company shall comply with the obligations applicable to it as a Service Provider/Processor under Applicable Privacy Law. Company shall notify Customer if, in Company's reasonable opinion, an instruction from Customer infringes Applicable Privacy Law, in which case Company may suspend performance of the affected instruction until it is amended, without liability.


3. Details of Processing

The subject matter, nature, and purpose of the processing, the duration of the processing, the categories of Personal Information, and the categories of Consumers are set out in Appendix A (Processing Details), which the parties may update by written agreement or by Order Form.


4. Company's Obligations as Service Provider / Contractor (CCPA)

4.1 Limited and specified purpose. Company shall collect, retain, use, and disclose the Personal Information solely for the limited and specified business purposes set out in Appendix A of performing the Service for and on behalf of Customer, and for no other purpose, including no "commercial purpose" except as permitted by the CCPA.

4.2 Service Provider / Contractor covenants. Company shall not:

(a) sell or share (as defined in Cal. Civ. Code § 1798.140(ad) and (ah)) the Personal Information;

(b) retain, use, or disclose the Personal Information for any purpose other than the specific business purposes set out in Appendix A, including any commercial purpose, except as permitted by the CCPA;

(c) retain, use, or disclose the Personal Information outside the direct business relationship between the parties; or

(d) combine the Personal Information with personal information Company receives from, or on behalf of, any other person, or collects from its own interaction with the Consumer, except as permitted by 11 Cal. Code Regs. § 7050(a).

4.3 Certification. Company understands the restrictions in Section 4.2 and in Cal. Civ. Code § 1798.140(ag) and (j), and certifies that it will comply with them.

4.4 Right to ensure compliance; notice of inability. Customer may take reasonable and appropriate steps to ensure that Company uses the Personal Information in a manner consistent with Customer's obligations under the CCPA, and to stop and remediate any unauthorized use of Personal Information. Company shall notify Customer within five (5) business days if it determines that it can no longer meet its obligations under the CCPA.

4.5 No monetization; not a data broker. Company is not a "data broker" as defined under Cal. Civ. Code § 1798.99.80 or comparable Texas, Oregon, or Vermont law: Company processes Personal Information solely as a Service Provider/Processor on Customer's behalf and does not sell that information. Company will not sell, license, or otherwise monetize Lead Data or Applicant Data outside its provision of the Service to the applicable Customer.

4.6 De-identified and aggregated data. Company may create and use de-identified and aggregated data derived from the Personal Information to build, improve, and secure its services, provided it maintains and does not attempt to re-identify such data and processes it in accordance with 11 Cal. Code Regs. § 7050 and Applicable Privacy Law. This right is consistent with, and does not enlarge Company's rights beyond, Section 9.4 of the MSA.


5. Processor Obligations (All State Privacy Laws)

In addition to Section 4, and to satisfy the processor-contract requirements of Va. Code Ann. § 59.1-579(B), Colo. Rev. Stat. § 6-1-1305, Conn. Gen. Stat. § 42-524, and the parallel provisions of every other Applicable Privacy Law, Company shall:

(a) process Personal Information only per Customer's documented instructions and the processing details in Appendix A;

(b) ensure that persons authorized to process the Personal Information are bound by confidentiality (Section 6);

(c) implement and maintain appropriate technical and organizational security measures (Section 7 and Appendix B);

(d) engage Sub-processors only under a written contract imposing the same data-protection obligations, and maintain a current Sub-processor list (Appendix C) with prior notice of changes and a right to object (Section 8);

(e) taking into account the nature of the processing, assist Customer with Consumer-rights requests, security-incident notification, and data-protection assessments (Section 9);

(f) make available to Customer information reasonably necessary to demonstrate compliance with this Addendum and Applicable Privacy Law and allow for and contribute to assessments and audits (Section 11); and

(g) at Customer's direction, delete or return all Personal Information at the end of the Service, except as required to be retained by law (Section 10).


6. Confidentiality of Personnel

Company shall ensure that each person it authorizes to process the Personal Information (including employees, contractors, and agents) is subject to a duty of confidentiality — whether a contractual or statutory obligation — with respect to the Personal Information, is informed of the confidential nature of the Personal Information, and processes it only as necessary to perform the Service. Company limits access to the Personal Information to personnel who need it to perform Company's obligations under the Agreement.


7. Security Measures

7.1 Program. Company maintains a written information-security program with reasonable administrative, technical, physical, and organizational safeguards designed to protect Personal Information against unauthorized or unlawful access, use, disclosure, alteration, loss, or destruction, appropriate to the nature of the Personal Information and the risks of the processing, consistent with the reasonable-security duty of Cal. Civ. Code § 1798.81.5 and, to the extent any Personal Information constitutes "nonpublic personal information," the standards of the FTC Safeguards Rule, 16 C.F.R. Part 314. Company's current measures are described in Appendix B (Security Measures).

7.2 Encryption of high-risk data. Company's measures include encryption of Social Security numbers and financial-account information in transit and at rest.

7.3 No absolute guarantee. No system is perfectly secure, and Company does not guarantee absolute security. Company shall review and, as appropriate, update its security measures over time; any updated measures will be no less protective than those described in Appendix B.


8. Sub-processors

8.1 Authorization. Customer authorizes Company to engage the Sub-processors listed in Appendix C (Sub-processors) to process Personal Information in providing the Service.

8.2 Flow-down. Company shall engage each Sub-processor only under a written contract that imposes data-protection obligations no less protective than those in this Addendum, including, where applicable, the CCPA service-provider/contractor restrictions and the requirement that the Sub-processor process Personal Information only for the specified business purposes. Company remains responsible for each Sub-processor's performance of its data-protection obligations to the same extent Company would be responsible if performing the services directly.

8.3 New Sub-processors; objection. Company will give Customer prior notice (which may be given by email or through the dashboard, or by updating the list of Sub-processors set out in Appendix C, which Company will keep current) of any intended addition or replacement of a Sub-processor and a reasonable opportunity to object on reasonable, data-protection-related grounds. If Customer reasonably objects and the parties cannot resolve the objection, Customer's sole remedy is to terminate the affected portion of the Service in accordance with the MSA.

8.4 Screening partners. Tenant/applicant screening is performed by Lotly and its consumer reporting agency partners under the Fair Credit Reporting Act; that processing is addressed in Section 13 and Appendix C.


9. Assistance; Security-Incident Notification

9.1 Consumer-rights requests. Taking into account the nature of the processing, Company shall assist Customer, by appropriate technical and organizational measures, in fulfilling Customer's obligations to respond to verifiable Consumer requests to access, delete, correct, opt out, limit, or obtain a portable copy under Applicable Privacy Law. If Company receives a request directly from a Consumer regarding Lead Data or Applicant Data, Company shall not respond on the merits and shall promptly forward the request to Customer. Upon Customer's documented instruction or a forwarded deletion request, Company shall delete, correct, or limit the relevant Personal Information and instruct its Sub-processors to do the same, except where retention is required by law (including the Fair Credit Reporting Act) or the information is exempt.

9.2 Data-protection assessments. Taking into account the nature of the processing and the information available to Company, Company shall provide reasonable assistance to Customer with any data-protection assessment or similar assessment that Customer is required to conduct under Applicable Privacy Law in connection with the Service.

9.3 Security incidents; breach notification. Company shall notify Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Information processed by Company or its Sub-processors (a "Security Incident"). The notice shall describe, to the extent then known and as it becomes available, the nature of the Security Incident, the categories and approximate number of Consumers and records affected, the likely consequences, and the measures taken or proposed to address it. Company shall take reasonable steps to mitigate and, where possible, remediate the Security Incident. As between the parties, Customer, as Business/Controller, is responsible for determining whether the Security Incident requires notification to Consumers or regulators and for making any such notifications; Company's notice under this Section is not an acknowledgment of fault or liability.


10. Retention; Return or Deletion

10.1 Retention. Company retains Personal Information only for as long as reasonably necessary and proportionate to the purposes described in this Addendum, in accordance with Company's written data-retention schedule, or where a longer period is directed by the Customer as Business/Controller, or is reasonably necessary to establish, exercise, or defend legal claims (including proof of consent and of the recording disclosure), or is required by law. This retention standard is aligned with, and is intended to be read consistently with, the retention provisions of Company's Privacy Policy so that the two cannot be played against each other.

10.2 Return or deletion. Within thirty (30) days after termination or expiration of the Service, Company shall, at Customer's election, delete or return all Personal Information processed on Customer's behalf and delete existing copies, except (a) copies retained in routine backups that are overwritten in the ordinary course and remain inaccessible in the interim, and (b) information Company is required to retain by applicable law, including the Fair Credit Reporting Act and records-retention obligations. Any Personal Information retained under this Section remains subject to the confidentiality and security terms of this Addendum for so long as it is retained.


11. Audit and Verification

11.1 Demonstrating compliance. Company shall make available to Customer information reasonably necessary to demonstrate Company's compliance with this Addendum. Company may satisfy this obligation by providing Customer, on written request no more than once every twelve (12) months (absent a Security Incident affecting Customer's Personal Information or a reasonable, documented suspicion of Company's non-compliance), with a copy of its then-current third-party audit report, security certifications, and/or responses to a reasonable, industry-standard security questionnaire.

11.2 Assessments. To the extent the reports and questionnaire responses under Section 11.1 are insufficient to satisfy an audit or assessment right that Applicable Privacy Law makes non-waivable, Customer (or a mutually agreed, independent, and suitably qualified auditor bound by confidentiality) may conduct an assessment of Company's relevant processing on at least thirty (30) days' prior written notice, no more than once every twelve (12) months, during regular business hours, in a manner that does not unreasonably disrupt Company's operations, does not access other customers' data or Company's Confidential Information beyond what is strictly necessary, and is subject to Company's reasonable security and confidentiality requirements. Customer bears its own and Company's reasonable costs of any assessment beyond the report-based verification in Section 11.1.


12. Cross-Border Transfers

Company processes and stores Personal Information in the United States. Customer authorizes Company and its Sub-processors to process Personal Information in the jurisdictions identified in Appendix D (Approved Jurisdictions). Company will not transfer Personal Information to a jurisdiction other than an Approved Jurisdiction without Customer's consent or an updated Appendix D, and any such transfer will be made under appropriate safeguards where required by Applicable Privacy Law.


13. FCRA Screening Carve-Out

When a Consumer submits a rental or park application through the Service, the information used to screen the applicant (including credit, income-verification, and background information) is collected, used, and disclosed as permitted by and subject to the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) and is handled by Lotly and its consumer reporting agency partners, which act as the appropriate parties under the FCRA. Because that information is regulated by the FCRA, it is exempt from the Consumer-rights provisions of Applicable Privacy Law (Cal. Civ. Code § 1798.145(d) and state analogues, including Va. Code § 59.1-586 and Colo. Rev. Stat. § 6-1-1304(2)) and is governed by Lotly's applicant terms, FCRA disclosures, and authorizations; the Customer (property owner/manager) is the end user of any consumer report and is solely responsible for adverse-action notices under 15 U.S.C. § 1681m. MHPSales is not a consumer reporting agency, does not furnish consumer reports, and does not make tenancy, credit, or eligibility decisions. This FCRA exemption does not apply to, and nothing in this Section limits, the parties' obligations regarding reasonable security or the data-breach provisions of Cal. Civ. Code § 1798.150.

Company is not a bank, lender, "financial institution" under the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809), or a "consumer reporting agency" under the FCRA. To the extent any information Company processes is "nonpublic personal information" governed by the Gramm-Leach-Bliley Act, Company maintains an information-security program consistent with the standards of the FTC Safeguards Rule, 16 C.F.R. Part 314.


14. State-Specific Terms

14.1 California. Sections 4 and 5 incorporate the required service-provider and contractor terms of Cal. Civ. Code §§ 1798.100(d) and 1798.140(ag) and (j) and the mandatory contract elements of 11 Cal. Code Regs. § 7051, and the certification in Section 4.3 satisfies Cal. Civ. Code § 1798.140(j)(1)(B). Company shall, on a forwarded deletion request, delete and instruct its Sub-processors to delete the Consumer's Personal Information as required by Cal. Civ. Code § 1798.105(c)(3), subject to the exceptions in Section 10.

14.2 Virginia, Colorado, Connecticut, and other processor-law states. Section 5 sets out the processor obligations required by Va. Code Ann. § 59.1-579(B), Colo. Rev. Stat. § 6-1-1305, Conn. Gen. Stat. § 42-524, the Texas Data Privacy and Security Act, and the comparable processor-contract provisions of every other Applicable Privacy Law, including documented instructions, personnel confidentiality, security, Sub-processor flow-down and objection rights, assistance with Consumer rights, breach notification and assessments, audit cooperation, and return or deletion of Personal Information at the end of the Service. Where a specific Applicable Privacy Law requires a term more protective than, or in addition to, those stated here, that term is deemed incorporated into this Addendum solely to the extent required and solely with respect to Personal Information subject to that law.

14.3 Determination of obligations by role. Consistent with Applicable Privacy Law, each party's obligations are determined according to its role in a given processing activity. This Addendum does not make either party responsible for the other's independent obligations as a Business/Controller or Service Provider/Processor for processing outside the scope of this Addendum.


15. International Data (Placeholder)

The Service is designed for use with U.S.-based Consumers, and the parties do not contemplate the processing of personal data subject to the EU General Data Protection Regulation or the UK GDPR. If the parties ever process personal data subject to the EU GDPR or the UK GDPR, they will, before such processing begins, execute an appropriate international data-processing addendum and, where required for cross-border transfers, the applicable Standard Contractual Clauses, which will supplement and, to the extent of any conflict as to such data, prevail over this Addendum. Until then, the Service is offered solely for use with U.S.-based Consumers and Customers.


16. Relationship to the MSA; Order of Precedence; Term

16.1 Incorporation. This Addendum forms part of, and is subject to, the MSA. Except as expressly modified here, all terms of the MSA — including the fee, billing, renewal, and cancellation terms; the TCPA, consent, do-not-call, caller-identification, and call-recording representations, warranties, and indemnities under which Customer owns and controls all required consent and Company acts solely as a technology provider; the confidentiality provisions; and the indemnification obligations — remain in full force and apply to this Addendum.

16.2 Order of precedence. In the event of a conflict, the order of precedence is: (1) an applicable Order Form; (2) the MSA; (3) the Acceptable Use Policy; (4) this Addendum; and (5) Company's other policies — except that, solely with respect to the processing of Personal Information within the scope of this Addendum, this Addendum controls over the MSA and the Acceptable Use Policy to the extent of a direct conflict, and any provision required by Applicable Privacy Law controls over any conflicting provision of the Agreement to the extent, and only to the extent, required by that law.

16.3 Liability. Each party's liability under or in connection with this Addendum is subject to the exclusions, limitations, and caps in the MSA and in Section 18 below; the parties intend that this Addendum not increase either party's aggregate liability under the Agreement, except where and to the extent Applicable Privacy Law makes such a limitation unenforceable.

16.4 Term. This Addendum takes effect on the Effective Date and continues for as long as Company processes Personal Information on Customer's behalf under the Agreement. Provisions that by their nature should survive termination — including Sections 6, 7, 10, 13, and 17 through 21 — survive.


17. Warranty Disclaimer

AS-IS. The Service is provided "AS IS" and "AS AVAILABLE," with all faults, and Company disclaims all warranties, express, implied, or statutory, including implied warranties of merchantability, fitness for a particular purpose, title, quiet enjoyment, accuracy, and non-infringement. AI output. The Service uses artificial-intelligence voice, text, transcription, and summarization. Company does not warrant that AI-generated calls, messages, transcripts, summaries, or outputs are accurate, complete, current, appropriate, or free of error, and such outputs may contain mistakes or "hallucinations." The Service is a productivity tool, not professional, legal, compliance, fair-housing, lending, or credit advice, and is not a substitute for the Customer's own judgment and human review. Customer is responsible for reviewing outputs before relying on them and for all decisions it makes (including any decision to sell, lease, approve, or deny). Company does not warrant any particular result, response time, lead conversion, or sales outcome.

18. Limitation of Liability

No indirect damages. To the maximum extent permitted by law, neither party is liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, revenue, goodwill, or data, however caused and under any theory, even if advised of the possibility. Cap. To the maximum extent permitted by law, Company's total cumulative liability arising out of or relating to the Service or these terms will not exceed the greatest of (i) the total fees Customer paid to Company for the Service in the twelve (12) months before the event giving rise to the liability, (ii) the total fees Customer paid to Company for the affected home under the applicable Order Form, or (iii) five hundred U.S. dollars ($500). Carve-outs. The cap and the exclusion of indirect damages above do not limit: (a) Customer's payment obligations; (b) Customer's indemnification obligations; (c) Customer's breach of the Acceptable Use Policy or of its consent, do-not-call, call-recording, consumer-protection, or fair-housing representations; (d) either party's breach of its confidentiality obligations; (e) either party's infringement or misappropriation of the other's intellectual property; or (f) any liability that cannot be limited under applicable law (including, under California law, liability for a party's own fraud or willful injury under Cal. Civ. Code § 1668). Company's own indemnification obligations remain subject to the cap and to the exclusion of indirect damages, except that Company's indemnity for third-party intellectual-property claims is capped at two times (2×) the amounts described in the cap rather than the base cap. Nothing limits a Consumer's non-waivable statutory rights. Consumer note (consumer-facing docs): Some jurisdictions do not allow certain limitations; in those, the above applies to the fullest extent permitted, and nothing limits non-waivable statutory rights.

19. Governing Law and Venue

Governing Law. This Addendum and any dispute arising out of or relating to it or the Service are governed by the laws of the State of California, without regard to its conflict-of-laws rules, and, as applicable, by the Federal Arbitration Act and other applicable federal law. The U.N. Convention on Contracts for the International Sale of Goods does not apply. Venue. Subject to the Arbitration section below, any claim that proceeds in court shall be brought exclusively in the state or federal courts located in Placer County, California, and each party consents to personal jurisdiction and venue there.

20. Binding Arbitration and Class-Action Waiver

PLEASE READ — THIS AFFECTS YOUR LEGAL RIGHTS. This section requires binding individual arbitration and waives class actions and jury trials — but only for people and entities that agree to it. If you were merely contacted by the Service and have not separately agreed to these terms, this section does not apply to you. (a) Who is bound. This Arbitration section applies only between Company and any person or entity that has affirmatively agreed to these terms by creating an account, subscribing to the Service, signing or clicking to accept an Order Form or these terms, or otherwise manifesting assent (each, a "Consenting Party"). It does not apply to, and Company does not assert arbitration or any class-action waiver against, any individual whom the Service merely calls, texts, or emails (a "Lead") who has not separately and affirmatively agreed to it. Company does not contend that receiving a communication from the Service, by itself, forms any agreement to arbitrate. (b) Scope / Delegation. For a Consenting Party, any dispute, claim, or controversy arising out of or relating to the Service, these terms, or the relationship between the Consenting Party and Company (including its breach, termination, or enforceability) will be resolved by final and binding individual arbitration, except as stated in (d), (e), and (f). Questions about the interpretation, scope, or enforceability of this Arbitration section are for the arbitrator; whether any agreement to arbitrate was formed is for a court. (c) Rules / Administrator / Fairness. Arbitration is administered by the American Arbitration Association (AAA) under its Consumer Arbitration Rules (for individuals) or Commercial Arbitration Rules (for entities), as modified here, and is governed by the Federal Arbitration Act. To ensure the process is fair and not a barrier to relief: (i) Company pays all AAA administrative and arbitrator fees for any individual (Consumer) claimant; (ii) each party is entitled to reasonable, bilateral discovery; (iii) the arbitrator is selected through AAA's neutral process; (iv) either party may elect the AAA optional appellate rules; (v) the arbitrator may award any individual remedy a court could, including any statutory fee-shifting or damages available to a prevailing party; and (vi) for a Consumer, hearings may be held remotely or in the Consumer's home county at the Consumer's election. (d) Public-injunction carve-out (McGill). Nothing in this section waives any party's right to seek public injunctive relief in a court of competent jurisdiction. A claim for public injunctive relief is not subject to arbitration or the class-action waiver, may be brought in court, and its assertion does not invalidate the remainder of this section. (e) Small-claims / IP carve-out. Either party may bring a qualifying individual claim in small-claims court, and either party may seek injunctive or equitable relief in court to protect intellectual property or Confidential Information. (f) Class / Collective / Representative Waiver. To the fullest extent permitted by law, a Consenting Party and Company agree to bring claims only in an individual capacity and not as a plaintiff or member of any class, collective, consolidated, or private-attorney-general proceeding, and the arbitrator may award relief only in favor of, and to the extent necessary to resolve, the individual party's claim. This waiver does not apply to any claim or remedy that applicable law does not permit to be waived. (g) Statutory-rights preservation. Nothing in this section shortens any limitations period, caps or excludes any damages, or waives any remedy that applicable law does not permit to be shortened, capped, or waived, including non-waivable rights and remedies under the Telephone Consumer Protection Act, state call-recording or privacy laws, or the Fair Credit Reporting Act. Where any provision of these terms would do so as to such a claim by a Consumer, it does not apply to that claim. (h) Mass arbitration. If 25 or more similar demands are filed by or with the assistance of the same or coordinated counsel, the demands will be administered under the AAA Mass Arbitration Supplementary Rules then in effect (or, if administered by JAMS, the JAMS Mass Arbitration Procedures then in effect), which preserve each claimant's right to an individual determination by a neutral arbitrator, to reasonable discovery, to input in arbitrator selection, and to appeal, and no determination in any claim binds any claimant who did not participate in it. (i) Blow-up / Severability. If the Class-Action Waiver in (f) is found unenforceable as to a particular claim or request for relief, that claim or request will be severed and may proceed in the courts of Placer County, California, while all other claims proceed in arbitration; the remainder of this section stays in effect. If any other part of this section is unenforceable, it is severed and the rest stays in force. (j) 30-Day Opt-Out. A Consenting Party may opt out of this Arbitration section by emailing Contact@lotly.ai within 30 days of first agreeing to these terms, stating the name and email associated with the account and a clear statement of opt-out. No account number is required. Opting out does not affect any other part of the agreement. (k) Jury-Trial Waiver. To the extent any claim by a Consenting Party proceeds in court, each Consenting Party and Company waive any right to a jury trial. (l) Limitations. A Consenting Party's claim must be filed within one (1) year after it arises, to the extent permitted by law (and this does not shorten any period that cannot be shortened by agreement or any non-waivable statutory period). This one-year limit does not apply to Company's claims for unpaid Fees, indemnification, or breach of confidentiality or the intellectual-property or use restrictions; and a claim for indemnification accrues no earlier than the date the underlying third-party claim is asserted against the indemnified party.

21. General

21.1 Changes to this Addendum. Company may update this Addendum from time to time. If Company makes a material change, it will provide reasonable prior notice by email to Customer's account contact, through the dashboard, or by posting the updated Addendum with a new "Last Updated" date. Changes required to comply with Applicable Privacy Law take effect as of the date required by that law. Customer's continued use of the Service after the effective date of an updated Addendum constitutes acceptance.

21.2 Severability. If any provision of this Addendum is held invalid or unenforceable, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect.

21.3 Entire agreement. This Addendum, together with the MSA, the Acceptable Use Policy, any Order Form, and the appendices, constitutes the entire agreement of the parties regarding the processing of Personal Information and supersedes any prior data-processing terms on that subject.

21.4 Assignment. Company may assign this Addendum to an affiliate or a successor in connection with a merger, acquisition, reorganization, or sale of substantially all of its assets; Customer may not assign this Addendum without Company's prior written consent. Any assignment in violation of this Section is void.

21.5 Force majeure. Neither party is liable for any delay or failure to perform (other than payment obligations) caused by conditions beyond its reasonable control.

21.6 Notices. Legal notices to Company must be sent to Contact@lotly.ai and to 5754 Lonetree Blvd, Rocklin, CA 95765; notices to Customer may be sent to the account contact on file.

21.7 Headings. Headings are for convenience only and do not affect interpretation.

21.8 Survival. Sections 6, 7, 10, 13, 16.3, 16.4, and 17 through 21, and any other provision that by its nature should survive, survive termination or expiration of this Addendum.


Contact

Lotly Software LLC 5754 Lonetree Blvd, Rocklin, CA 95765 Email: Contact@lotly.ai

The Service is operated by Lotly Software LLC and is powered by Lotly's platform. "Powered by Lotly."


Appendix A — Processing Details

ItemDescription
Subject matterCompany's processing of Personal Information to provide the MHPSales.ai AI voice/text/email agent, dashboard, and related features to Customer.
Nature of processingIngesting leads from Customer's configured sources (e.g., Facebook Marketplace, Zillow, MHVillage, Craigslist, and inbound calls); placing and receiving calls using an artificial or AI-generated voice; sending text messages and emails; recording and transcribing calls; carrying out the Customer-configured, Customer-authorized multi-day follow-up cadence; booking showings; collecting and transmitting rental/park applications; and generating summaries and analytics — in each case on Customer's documented instructions.
PurposeTo perform the Service for and on behalf of Customer; no other purpose.
DurationFor the term of the Agreement and until deletion or return under Section 10, subject to legally required retention (including FCRA).
Categories of Consumers (data subjects)Customer's prospective manufactured-home buyers and rental prospects/leads; applicants who submit rental or park applications; and other individuals Customer directs the Service to contact.
Categories of Personal Information (Lead Data)Identifiers (name, telephone/mobile number, email address, postal or property address); communication content and metadata (call audio recordings, transcripts, SMS/MMS and email content, timestamps, call outcomes); lead-source and marketing information; showing/appointment details; and preferences expressed during interactions.
Categories of Personal Information (Applicant Data)Rental/park-application information as submitted, which may include contact and identity information and, to the extent submitted, income and residency information. Screening data (credit, income-verification, and background information) is processed under the FCRA by Lotly and its CRA partners per Section 13 and is not governed by this Addendum.
Sensitive Personal InformationTo the extent present in recordings, transcripts, or applications: Social Security numbers, financial-account information, and the contents of communications. Processed solely to provide the Service.
FrequencyContinuous and automated during the term (the Service operates on a 24/7 basis, subject to Customer's calling-window and other configuration).

Appendix B — Security Measures

Company maintains a written information-security program that includes, at a minimum, the following administrative, technical, physical, and organizational measures, which Company may update from time to time provided the updated measures are no less protective:

  1. Access controls — role-based access on a least-privilege, need-to-know basis; unique credentials; and multi-factor authentication for administrative access.
  2. Encryption — encryption of Personal Information in transit (TLS) and at rest, including encryption of Social Security numbers and financial-account information at rest and in transit.
  3. Network and infrastructure security — hosting with a reputable cloud infrastructure provider (AWS); firewalls, network segmentation, and secure configuration baselines.
  4. Personnel — confidentiality obligations, background-appropriate access provisioning, and periodic security-awareness training.
  5. Logging and monitoring — audit logging of access to Personal Information and monitoring for anomalous activity.
  6. Vendor oversight — security due diligence and written data-protection contracts with Sub-processors (Appendix C).
  7. Vulnerability management — patching, and periodic vulnerability assessment or testing.
  8. Incident response — a documented incident-response plan supporting the notification obligations in Section 9.3.
  9. Backup and resilience — routine backups configured to expire and be overwritten in the ordinary course.
  10. Data minimization and retention — processing limited to what is reasonably necessary and proportionate to the disclosed purposes, per a written retention schedule.

Appendix C — Sub-processors

Company engages the following Sub-processors to process Personal Information in providing the Service. The current list is set out below and is kept current by Company; Company will notify Customer of changes as described in Section 8.3.

Sub-processorFunction
VosyTelephony and AI conversational-voice processing for calls.
Accept.bluePayment processing (Customer billing).
Amazon Web Services (AWS)Cloud hosting and infrastructure.
Standard email/SMS/calendar providers as configured by Customer (e.g., Google/Microsoft calendars, A2P SMS carriers)Delivery of Customer-configured communications and scheduling.

Screening partners (FCRA-regulated; see Section 13). Tenant/park-application screening is performed by Lotly (the FCRA reseller) and its consumer reporting agency partners: TransUnion LLC (credit); One Source Technology, LLC d/b/a Asurint (criminal and eviction/housing records — currently held offline / not offered); and Pinwheel CRA Co. (income/employment verification, identity verification, and document authentication). These partners handle FCRA-regulated data under the FCRA and Lotly's applicant terms; MHPSales is not a consumer reporting agency.


Appendix D — Approved Jurisdictions

Company and its Sub-processors process and store Personal Information in the United States. Any additional jurisdiction must be added to this Appendix D by written agreement or Order Form before Personal Information is processed there.

[END OF DATA PROCESSING ADDENDUM]